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Abstract 

In the paper we define a notion of quantum resistant ((e, (5)-resistant) hash 
function which combine together a notion of pre-image (one-way) resistance (e- 
resistance) property we define in the paper and the notion of collision resistance 
(5-resistance) properties. 

We show that in the quantum setting a one-way resistance property and colli¬ 
sion resistance property are correlated: the “more” a quantum function is one-way 
resistant the “less” it collision resistant and vice versa. We present an explicit 
quantum hash function which is “balanced” one-way resistant and collision re¬ 
sistant and demonstrate how to build a large family quantum hash functions. 
Balanced quantum hash functions need a high degree of entanglement between 
the qubits. We use a “phase constructions” technique to express quantum hashing 
constructions, which is good to map hash states to coherent states in a super¬ 
position of time-bin modes. The later is ready to be implemented with current 
optical technology. 


1 Introduction 

Quantum cryptography describes the use of quantum mechanical effects (a) to break 
cryptographic systems and (b) to perform cryptographic tasks. Quantum factoring 
algorithm and quantum algorithm for finding discrete logarithm are famous results 
that belong for the first direction. Quantum key distribution, quantum digital signature 
schemes constructions belong to the second direction of quantum cryptography. 

Gottesman and Chuang proposed in 2001 a quantum digital signature protocol [I] 
which is based on quantum one-way function. This is also the case for other protocols 
(see for example H). In [310] we explicitly dehned a notion of quantum hashing as a 
generalization of classical hashing and presented examples of quantum hash functions. 
It appeared that Gottesman-Chuang quantum signature schemes are based on functions 
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which are actually quantum hash functions. Those functions have “unconditionally one¬ 
way” property based on Holevo Theorem [5] . More information on the role of quantum 
hashing for the post quantum cryptography, possible application of quantum hashing for 
quantum signature protocols, and technological expectations for realization of quantum 
signature schemes are presented in [B]. 

Recall that in the classical setting a cryptographic hash function h should have 
the following three properties [7]. (1) Pre-image resistance: Given h{x), it should be 
difficult to hnd x, that is, these hash functions are one-way functions. (2) Second pre¬ 
image resistance: Given xi, it should be difficult to hnd an X 2 , such that h(xi) = h{x 2 ). 
(3) Gollision resistance: It should be difhcult to hnd any pair of distinct Xi, X 2 , such 
that h{xi) = h{x 2 )- Note, that there are no one-way functions that are known to be 
provably more difhcult to invert than to compute, the security of cryptographic hash 
functions is “computationally conditional”. 

Informally speaking, a quantum hash function ^|J [3111] is a function that maps words 
(over an alphabet S) of length /c to a quantum pure states of s-qubits ('0 : —)■ 

and has the following properties: 

1. Function -0 must be one-way resistant. In quantum case this means that k > s. 

2. Function 0 must be collision resistant. In quantum case this means that for diher- 
ent words tc, w' states |0(tc)), |0(tc')) must be “almost orthogonal” (h-orthogonal) 

Hi- 

Quantum collision resistance property cover both second pre-image resistance and col¬ 
lision resistance properties for the quantum setting 

In papers [H |9] we considered a quantum Branching Program as a computational 
model which, we believe, is adequate quantum technological model for presenting a 
quantum communication protocols and quantum cryptographic signature schemes based 
on hashing. 

Our contribution. In the paper we dehne a notion of (e, (5)-hash function where 
values e and 5 are numerical characteristics of the above two properties: (i) one-way 
resistance and (ii) collision resistance properties. The notion of the (e, (5)-hash function 
is an explicit generalization of our constructions M. We show that in the quantum 
setting the one-way resistance property and collision resistance property are correlated: 
the “more” a quantum function is one-way resistant the “less” it is collision resistant 
and vice versa. We present a quantum hash function which is “balanced” one-way 
resistant and collision resistant. In addition we present more discussion that supports 
the idea of quantum hashing from our papers. Note, that a realization of the balanced 
quantum hash function requires the high degree of entanglement between the qubits 
which makes such a state very difficult (or impossible) to create with current technology. 

We present quantum “balanced” hashing constructions based on “phase transfor¬ 
mation” presentation [10] instead of “amplitude transformation” |1]. The phase trans¬ 
formation is required to map quantum hash states into a sequence of coherent states. 
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Note, that quantum signature protocols using coherent states can be practically imple¬ 
mented by now day technology that use only a sequence of coherent states, linear optics 
operations, and measurements with single-photon threshold detectors. See [II1[I21[7] 
for more information and citations. 


2 Quantum (e, 5)-Resistant Hash Function 

Recall that mathematically a qubit is described as a unit vector in the two-dimensional 
Hilbert complex space 'h?. Let s > 1. Let be the 2*-dimensional Hilbert space, 

describing the states of s qubits. For an integer j G {0,..., 2* — 1} let a = Ui... cXs be 
a binary presentation of j. We use (as usual) notations |j) and |cr) to denote quantum 
state |(Ti) ■ • • lus) = |(Ti) (g)... (g) 

We let g to be a prime power and be a hnite held of order q. Let be a set of 
words of length k over a hnite alphabet S. Let X be a hnite set. In the paper we let 
X = or X = Fg. For K = |X| and integer s > 1 we dehne a (iF; s) classical-quantum 
function (or just quantum function) to be a unitary transformation (determined by an 
element tc G X) of the initial state |'0o) ^ ("H^)®* to a quantum state |'i/’(u')) G (?f^)®* 

: {iV^o)} X X ^ \i;{w)) = U{w)\i^o) (1) 

where U{w) is a unitary matrix. We let l-^o) = |0) in the paper and use (for short) the 
following notation (instead the above) 

: X —)■ ("H^)®"^ or i/j : w ^ lt/^('?^)) 

2.1 One-way Resistant Function. 

We present the following dehnition of quantum e-resistant one-way function. Let “infor¬ 
mation extracting” mechanism At be a function At : ("H^)®^ —)■ X. Informally speaking 
mechanism At makes some measurement to state \'ijj) G ("H^)®* and decode the result 
of measurement to X. 

Definition 2.1 Let X be random variable distributed over X {Pr[X = w] : w ^ X}. 
Let 'ijj : ^ ^ ("H^)®^ be a quantum function. Let Y is any random variable over X 
obtained by some mechanism At making measurement to the encoding of X and 
decoding the result of measurement to X. Let e > 0. We call a quantum function ^|J a 
one-way e-resistant function if for any mechanism At, the probability Pr\Y = X] that 
At successfully decodes Y is bounded by e 

Pr[Y = X] < e. 

For the cryptographic purposes it is natural to expect (and we do this in the rest of the 
paper) that random variable X is uniformly distributed. 
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A quantum state of s > 1 qubits can “carry” an infinite amount of information. On 
the other hand, fundamental result of quantum informatics known as Holevo’s Theorem 
[5] states that a quantum measurement can only give s bits of information about the 
state. We will use here the following particular version [13] of Holevo’s Theorem. 

Property 2.1 (Holevo-Nayak) Let X be random variable uniformly distributed over 
a k bit binary words {0, 1}^. Let ^|J : {0, 1}*’ —)■ be an (2^;s) quantum function. 

Let Y be a random variable over X obtained by some mechanism M making some 
measurement of the encoding of X and decoding the result of measurement to {0, 1}^. 
Then our probability of correct decoding is given by 

P'iY -x]<L 

2.2 Collision Resistant Function 

The following dehnition was presented in |1]. 

Definition 2.2 Let 5 > 0. We call a quantum function : X —)■ a collision 

6-resistant function if for any pair w,w' of different elements, 

\{fj{w)\'if{w’))\ < 6. 

Testing Equality. What one needs for quantum digital signature schemes realization 
is an equality testing procedure for quantum hashes |'^(u)) and |'0('?i')) in order to 
compare classical messages v and w] see for example [1]. The SWAP-test is the known 
quantum test for the equality of two unknown quantum states l"^) and l"^') (see [H [3] 
for more information). 

We denote Prs.ujap[v = w] a. probability that the SWAP-test having quantum hashes 
|'0(n)) and |'0('?n)) outputs the result “u = w” (outputs the result “|'0(n)) = I'fiw))”). 

Property 2.2 (|jT]) Let function if : w ^ I'fiw)) satisfy the following condition. For 
any two different elements v,w eX it is true that \{if{v) \ if{w))\ < 6. Then 

Prswap[v = w] < ^(1 + (5^)- 

Proof. From the description of FlFAP-test it follows that 

Prswap[v = «;] = ^ (1 + |(V'(u)|V'(w))p) . 


□ 

The next test for equality was hrst mentioned in [1]. We call this test a REVERSE- 
test [3|. REVERSE-test was proposed to check if a quantum state l"^) is a hash of 
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an element v. Essentially the test applies the procedure that inverts the creation of a 
quantum hash, i.e. it “uncomputes” the hash to the initial state. 

Formally, let for element w the procedure of quantum hashing be given by uni¬ 
tary transformation U{w), applied to initial state |0o)- Usually we let |(/)o) = |0), i.e. 

|'0('w)) = U{w)\0). Then the REVERSE-test, given v and \^jJ{w)), applies U~^{v) to 
the state \'i/j{w)) and measures the resulting state with respect to initial state |0). It 
outputs n = ta iff the measurement outcome is |0). Denote by Prreverse[v = w] the 
probability that the REVERSE-test having quantum state and an element v 

outputs the result v = w. 

Property 2.3 Let hash function ■. w ^ \'ijj{w)) satisfy the following condition. Eor 

any two different elements v,w it is true that \ 'if!{w))\ < 6. Then 

^^reversely — d . 

Proof. Using the property that unitary transformation keeps scalar product we have 
that 

Prreverse[v = w] = \{0\U~^ {v)'ljj{w))\‘^ = \{U~^ {v)'ljj{v) \U~^ {v)'ljj{w))\'^ = \ {fj{v) \ fj{w)) < (5^. 

□ 


2.3 One-way Resistance and Collision Resistance 

The above two dehnitions and considerations lead to the following formalization of the 
quantum cryptographic (one-way and collision resistant) function 

Definition 2.3 Let K = |X| and s > 1. Let e > 0 and 5 > 0. We call a function 
: X — a quantum {e, 6)-Resistant {K] s)-hash function iff is a one-way 
e-resistant and is a collision 5-resistant function. 

We present below the following two examples to demonstrate how one-way e-resistance 
and collision ^-resistance are correlated. The hrst example was presented in [IT] in terms 
of quantum automata. 


Example 2.1 Let us encode numbers v from {0,... 

' 2710 ' 


7p -. V ^ COS 


2k 


|0) -I- sin 


,2^ — 1} by a single qubit as follows: 



Extracting information from l"^) by measuring l"^) with respect to the basis {|0), |1)} 
gives the following result. The function is one-way ^-resistant (see Property 12.ip and 
collision cos (7r/2^“^)-resistant. According to the properties 12.11 and 12.31 the function 
has good one-way property, but has bad resistance property for a large k. 
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Example 2.2 We consider a number v G {0,...,2^ — 1} to be also a binary word 
V G {0,1}^. Let = (Ti... CTfc. We encode v by k qubits: 'll: : v \v) = |(Ti) • ■ • \ak)■ 

Extracting information from \'ip) by measuring \'ip) with respect to the basis {|0 ... 0),..., |1... 1)} 
gives the following result. The function -0 is one-way 1-resistant and collision 0-resistant. 

So, in contrary to the Example 12.11 the encoding 0 from the Example 12.21 is collision 
free, that is, for different words v and w quantum states |'0(n)) and |'0(n)) are orthogo¬ 
nal and therefore reliably distinguished; but we loose the one-way property: 0 is easily 
invertible. 

The following result [1] shows that quantum collision h-resistant {K-,s) function 
needs at least log log K — c{6) qubits. 

Property 2.4 (|j4]) Let s > 1 and ii' = |X| > 4. Let if: : X ^ be a 6-resistant 

{K;s) hash function. Then 

s > log log if - log log -h ^2/(1 - (5)j - 1. 

Properties 12.41 and 12.11 provide a basis for building a “balanced” one-way e-resistance 
and collision (f-resistance properties. That is, roughly speaking, if we need to hash 
elements w from a domain X with |X| = if and if one can build for a 5 > 0 a collision 
(5-resistant (if; s) hash function 0 with s ~ log log if — c{6) qubits then the function / 
will be a one-way e-resistant with e ~ (log if/if). 


3 “Balanced” Quantum Hash Functions Construc¬ 
tions 


We start by recalling some dehnitions, notations, and facts from [15]. For a held F^, 
the discrete Fourier transform of a set ii C is the function 


fsiw) = ^exp 

b&B 


2'ITwb 
i - 


Q 


dehned for every w G Fg. let X{B) = \fB{w)\/\B\. For <5 > 0 we dehne B <L¥g 

to be (5-good if A(ii) < 6. By Bs^q we denote (5-good subset of Fg. For a held Fg, let 
ii C Fg. For every b E B and tc G Fg, dehne a function hf, : Fg — )■ Fg and a family Hb 
by the rule 

hb{w) = bw (mod q), Hb = {hb : b G B}. 

We denote by Hs,q the above set of functions and call Hs,q (5-good if ii = Bs^q is (5-good. 


Theorem 3.1 Let (5 > 0 and q be a prime power. Let Hsq = {hi,..., h^} be 6-good. 
Then for s = log T a function 




1 

vf 


T 

X^exp 


1=1 


2'7ihj{w) 

z 

q 


\j)- 


( 2 ) 
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is a collision 6-resistant (g; s) quantum hash function. 


Proof. Note, that the proof of this theorem in terms of amplitude transformation was 
presented in |3] . The proof presented below is in terms of phase transformation [10] . 

Let Bs^q = {bi,..., br} determines (5-good family Hs^q. We let H = Hs^q in the proof. 
We consider the following quantum function fjH : —)■ of function 'ijjH 


li’Hiw)) 


1 

7t 


T 

^exp 


1=1 


2'Khj{w) 

q 


\ 3 ) 


1 



2'awbj 
% - - 


q 


U). 


The quantum state IV’ir(ti')) composed from s qubits. To show that ^|JH is collision 
(5-resistant (g; s) quantum hash function we prove the collision (5-resistance of fjH- Con¬ 
sider a pair tc, w' of different elements from ¥q and their inner product {'ipuip}) \ 'ipniw')). 
Recall that the inner product of two complex vectors |q;) = (q;i, ..., q;t) and |/5) = 
(/5i,..., (3t) is the sum {a\(3) = Oijl^j where (5j is the complex conjugate of (3j. Us¬ 
ing the fact that the conjugate of is and the fact that B^^q is 5-good we have 
that 

{'iI)h{w)\'iPh{w')) = - ^ exp 


.2'k{w — w')b 


< KB6,q) < 5. 


• In [4] we dehned a set of discrete functions a quantum hash generator if it allow 
to built a quantum hash function. 

In the context of Theorem 13.11 the set Hs^q is a collision 5-resistant hash generator: it 
generates the quantum hash function 'ijjHg ^ ■ 


Optimality of the hashing scheme. The following facts were presented in [15]. Let 
5 = 5(g) be any function tending to zero as g grows to inhnity. Then there exists 5-good 
set Bs^q with |Ryq| = (logg/5(g))'^C)_ Several optimal (in the sense of the above lower 
bound) explicit constructions of 5-good sets Bs^q were presented by different authors. 
For those constructions 


<5(g) 


1 

(logg)'^d) 


and 


Bs,q 


(logg)^(^\ 


The following statement summarize Theorem 13.11 and the above consideration. 


Corollary 3.1 Let q be a prime power, T{q) = (logg)'^^^\ and s = logT(g). Let e{q) = 


T{q)/q and 5(g) = 1/T(g). 
Then 


Let Hs^q be 6{q)-good set of functions with \Hs^q\ = T{q). 


1. fjRsq is “balanced” quantum {e{q),6{q))-resistant quantum (T{q)-, s)-hash function. 
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2. The number s of qubits is good in the sense of the lower bound of Property \2.f 
which gives the following lower bound s > log log g — log log + y/2/d'j — 1. 

We refer to the paper [3] for more information on practical construction of the set 
Hs^q and the Numerical results from genetic algorithm for Hs^q construction. 


Balanced Quantum Hash Function Families. In [1] we offered design, which 
allows to build a large amount of different quantum hash functions. The construction 
is based on composition of classical e-universal hash family [16] and a given family 
Hs^q a quantum hash generator. A resulting family of functions is a new quantum 
hash generator. In particular, we present a quantum hash generator Grs based on 
Reed-Solomon code. 

Let g be a prime power, let k < n < q, let Fg be a finite field. A Reed-Solomon code 
(for short RS-code) is a linear code Crs ■ t (Fg)"' defined as follows. Each word 

w G (Fg)^, w = wqWi ... Wk-i associated with the polynomial Pw{x) = Wix\ Pick 
n distinct elements (evaluation points) A = {oi,..., On} of Fg. A common special case 
is n = g — 1 with the set of evaluating points being A = Fg\{0}. To encode word w we 
evaluate Pw{x) on over all n elements a E A Crs{w) = {Pwi^i) ■ ■ ■ Pw{cin))- 

We dehne family Frs = {fa : a G A} based on RS-code Crs as follows. For a E A 
define fa : (Fg)^ Fg by the rule fa{w) = Pw{,o). Let H^q = {hi,..., hr} be a (5-good 
set of functions, satisfying Corollary 13.11 Composition 


Grs — Frs o Hs^q — {gp : g — hj{fai), hj E Hs^q, fai e Frs} 


is a quantum hash generator. Let s = logn + logT. Grs generates function fjcus • 
(Fg)^ —)■ for a word w G (Fg)^ by the rule 





n,T 

exp 


1=1,j=i 


'.27rgji{w)) 

% 


m 


(3) 


here \lj) denotes a basis quantum state, where Ij is treated as a concatenation of the 
binary representations of / and j. 

Property 3.1 Let q be a prime power and let 2 < k < n < q. Then for arbitrary 
6 E (0,1) the function 'iPgrs A)-resistant (g^; s) quantum hash function, where 

e < (glogg)/g^, A < ^ -|- 5, and s < log (glogg) -|- 21ogl/(5 -|- 4. 

Let c > 1. If we select n = ck, then A < l/c + 5 and according to Theorem 12.41 there 
exist constants ci(A), C 2 (A) such that log (glogg) — ci(A) < s < log (glogg) -|- C 2 (A). 
Thus, Reed Solomon codes provide balanced parameters for resistance values e, A and 
for a number s of qubits for hash function fjRs- 













4 Presenting Quantum Hash States via Coherent 
States 


Written in the form given in (|2]) and ([2]), the hash states G w G 

Fq, and |'0ij5(ta)) G w G (Fg)^, need high degree of entanglement between s 

qnbits which is hard for the current technology. Papers [mini [7] consider the idea of 
presenting quantum hngerprinting states via coherent states and developed signature 
constructions based on such coherent states. 

Following idea from mn we map the hash state G ("H^)®^ for tc G Fg 

to a coherent state as follows. For short we let FT^g = FT in the rest of the section. Let 
T = 2®. First, we dehne hash mode (iF-hash mode) aH,w as 


T 


aH,w = V] exp 
VT 


.27ihj{w) 


bj, 


where bj G {6i,..., 6 t} is the annihilation operator of the jth optical mode. Hash state 
is a single-photon state in the hash mode: {'ipniw)) = aH,w\0). 

Next, we dehne coherent hash state as = DH,w{<y)\0), with parameter a, 


where Dh,w{c() = exp 




is the displacement operator. According to 


we have that the state {'ipniw)) is mapped to |a, 


T 

\a,ipH{w)) = 

exp 

.27ihj{w) 


i=i 



a \ 


VT/; 


where 


exp 


. 2iThj {w) 1 a \ 


is a coherent state with amplitude ^ in the jth mode. 


Similarly one can map the hash state VRsiw)) G (Ff^)®* with w G (Fg)^ to a 
coherent state. 

In the next paper we will present a variants of quantum signature schemes based on 
quantum hash functions different from quantum hngerprinting function. 
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